Honeypot Tactics: Microsoft’s Active Approach to Phishing Defense

Microsoft has developed a groundbreaking approach to combat phishing by creating realistic-looking honeypot tenants on Azure, designed to lure cybercriminals into fake environments. These honeypots, created by Ross Bevington, are populated with thousands of user accounts and mimic internal company activity, including email communications and file-sharing. When phishers use stolen credentials to access the fake tenants, Microsoft collects valuable intelligence on their tactics, techniques, and procedures, including IP addresses, browsers, location, and phishing kits used. This deception technology, part of the Microsoft Deception Network, helps the company better detect and block malicious emails while wasting attackers’ time and resources.

By slowing down responses and monitoring every action, Microsoft can attribute attacks to specific groups, such as financially motivated or state-sponsored actors like the Russian Midnight Blizzard (Nobelium) threat group. The honeypots have already blocked over 40,000 connections to Microsoft resources and are a key part of the company’s efforts to protect customers. This active approach, which Bevington calls “hybrid high interaction honeypots,” is a departure from traditional honeypot strategies that wait for attackers to discover them. The intelligence gathered from these honeypots allows Microsoft to improve its defenses and create more complex profiles of threat actors, ultimately enhancing the security of its customers.
